Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

csp header css update #1343

Merged
merged 2 commits into from
Jun 5, 2024
Merged

csp header css update #1343

merged 2 commits into from
Jun 5, 2024

Conversation

rBangay
Copy link
Contributor

@rBangay rBangay commented Jun 5, 2024
edited by johnduffell
Loading

What does this change?

Change invalid default-style to the correct style-src https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src

This will allow inline styles for <style> and <link> tags as well as inline style attribute.

This is not a welcome attribute but a necessary one in order to implement a csp header in manage. Hopefully at a later date we can look into using a hash or nonce to validate specific inline sources.

specifically specify style and link attribute css as well as inline s…
337ee45 
…tyle attribute css in the csp header. We don't want to be doing this but is a nesacery step to implementing a csp header until we can look more closely at verifying sources either with a hash or nonce
@rBangay rBangay requested a review from a team as a code owner June 5, 2024 09:28
johnduffell
johnduffell reviewed Jun 5, 2024
View reviewed changes
server/server.ts Outdated Show resolved Hide resolved
johnduffell
johnduffell approved these changes Jun 5, 2024
View reviewed changes
Copy link
Member

@johnduffell johnduffell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see comment for suggestion - this csp malarky is hard!

tjmw
tjmw approved these changes Jun 5, 2024
View reviewed changes
Copy link
Member

@tjmw tjmw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM too! (Pending John's comment about being able to remove style-src-elem).

@rBangay @johnduffell
Update server/server.ts
c001ed9 
remove unnecessary line

Co-authored-by: John Duffell <john.duffell@guardian.co.uk>
@rBangay rBangay merged commit f08b685 into main Jun 5, 2024
11 checks passed
@rBangay rBangay deleted the csp-style-inline branch June 5, 2024 13:36
@prout-bot
Copy link
Collaborator

Seen on PROD (merged by @rBangay 10 minutes and 37 seconds ago) Please check your changes!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tjmw tjmw tjmw approved these changes

@johnduffell johnduffell johnduffell approved these changes

Assignees
No one assigned
Labels
Seen-on-PROD
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@rBangay @prout-bot @tjmw @johnduffell